1 # [[plugins/contrib/bibtex2html]] and [[plugins/contrib/compile]] plugins
3 *Answer to [[anarcat]] mentionning [[plugins/contrib/compile]] in the [[plugins/contrib/bibtex2html]] documentation.*
5 I do not think that the [[plugins/contrib/compile]] plugin can replace the [[plugins/contrib/bibtex2html]] plugin right now: the [[plugins/contrib/compile]] plugin compiles a document, and renders *an HTML link to* the compiled document, whereas (if I am not wrong), the [[plugins/contrib/bibtex2html]] plugin compiles a document, and renders *the content of* the compiled document (which happens to be some HTML code).
7 Right now, it is not possible for the [[plugins/contrib/compile]] plugin to render the *content* of the compiled document. This could be done by providing a `DESTCONTENT` template variable, containing the content of the compiled document. This should not be hard to implement.
9 -- [[Louis|spalax]] (author of [[plugins/contrib/compile]])
11 > Interesting! I am thinking of writing a simpler plugin (maybe called "exec") that would be a merge of the two approaches. There would be an `htmlize` hook to render arbitrary page extensions (based on the configuration) into anything with predefined pipelines. Then a `preprocess` hook would allo directives to inject links to documents or simply inline them like bibtex2html does. The plugin could be secure insofar as the pipelines configured are secure as well. Should that be merged in compile or be a separate plugin? --[[anarcat]]
13 >> This "arbitrary executable" stuff scares me, and I'm not going to merge anything
14 >> like that without a relatively paranoid review. As a result, it could take a while.
16 >> At some point when I have more time and energy I should try to write down what
17 >> ikiwiki's security model is. The short version is that the plugins shipped
18 >> with ikiwiki should never let wiki editors execute arbitrary code, even if they
19 >> have direct VCS access or can alter "safe"-flagged setup options. The ability to
20 >> alter non-"safe" setup options is equivalent to access to the uid running the
21 >> wiki, and so is the ability to alter the plugins that the wiki uses.
23 >> Defining pipelines or compilation commands in the setup file does not
24 >> *directly* contradict that, because the setup option would not be flagged
25 >> as safe, but it does provide an easy way to cause a huge
26 >> increase in attack surface, particularly when shell scripts are known to
27 >> be a difficult thing to write securely. If people want arbitrary compilation,
28 >> Perl or XML-RPC (e.g. Python) plugins are probably safer (even if they call
29 >> external commands with `IPC::Run` or `subprocess`!), and they would mean that
30 >> the authors of the arbitrary-compilation code can't have any illusions about
31 >> "oh, this isn't all that security-sensitive, I'm just writing an
34 >> I hope that ImageTragick is still fresh in everyone's minds - many of the
35 >> individual vulnerabilities there involved ImageMagick and GraphicsMagick
36 >> running arbitrary shell pipelines from delegates.xml that turned out not
37 >> to be hardened against invocation by a hostile user. --[[smcv]]
39 >>> The `exec` plugin would definitely not be marked as "safe": it
40 >>> allows wiki administrators to execute arbitrary code as the wiki
43 >>> That said, I believe it is possible to craft a configuration that
44 >>> *would* be safe to use for *users* in general. Of course, we can't
45 >>> exclude foot-shooting here: if an admin misconfigures the plugin,
46 >>> they can introduce new attack vectors. But default and sample
47 >>> configurations should be secure.
49 >>> It is with that model in mind that I wrote the bibtex2html plugin: it doesn't
50 >>> use the shell to execute bibtex2html:
52 >>> [[!format perl """my @bibtex_cmd = (qw[bibtex2html -noheader -nofooter -nobibsource -nodoc -q -o -], $near); open(PIPE, "-|", @bibtex_cmd) || error "can't open pipe to @bibtex_cmd: $!";"""]]
54 >>> I specifically tried to address that case, to make sure users
55 >>> can't execute arbitrary code even if the plugin is enabled.
57 >>> Still: it is tricky! The above pipeline could *still* be
58 >>> vulnerable to certain attacks if bibtex2html does some dangerous
59 >>> stuff on its own. For example, it could call other executables
60 >>> with the shell without checking arguments, and then the filename
61 >>> would be expanded into hostile shell commands. Even worse and
62 >>> trickier, the filename could be something like `-oclobberfile` and
63 >>> one file would be destroyed!
65 >>> bibtex2html is probably vulnerable to such an attack right now. We
66 >>> should check attachments for weird filenames and restrict what is
67 >>> allowed to upload and pass to the plugin.
69 >>> In case you haven't reviewed the [[compile]] plugin in detail,
70 >>> what struck me as an interesting model is the way it allows admin
71 >>> to configure extensions to pipeline mappings. What I had in mind
72 >>> was something like this:
75 >>> - bib: 'bibtex2html -o- %s'
76 >>> - svg: 'inkscape -o- %s'
83 >>> (forgive my YAML cluelessness, the idea above is to define a hash
84 >>> of extension -> (command) mapping.) The command would be broken up
85 >>> on spaces into an array and the `%s` element would be replaced by
86 >>> the source file, which would be forbidden to use shell
87 >>> metacharacters, including prefixed dashes. I believe such a plugin
88 >>> could be crafted to be secure with proper configuration
90 >>> Of course, it's better if there's a native plugin for
91 >>> everything. For bibtex, we need to use Text::Bibtex, for
92 >>> example. But that basically means rewriting bibtex2html in Perl,
93 >>> which not something any user can do easily. And it's an even worse
94 >>> problems for documents like Word spreadsheets or Latex
95 >>> documents. Only the native commands can do the right thing.
97 >>> A clever admin can certainly find out about such a command and
98 >>> having a way for that admin to easily hook that into ikiwiki would
99 >>> be a powerful tool, with all that implies. --[[anarcat]]